DETAILED ACTION

1. Claims 1-6 are pending in this application.

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

3. Claims 1, 3, 4, 5 and 6 are rejected under 35 U.S.C. 102(e) as being anticipated
by Gales (U.S. Publication No. 2003/0084323 A1).

Regarding claim 1, Gales clearly shows and discloses a method suitable for 
filtering events in an information technology resource monitor, comprising: 
determining a present count of occurrences of an event for a present monitoring period 
(Fig. 3; [0021], lines 1-5); 

comparing the present count with numbers of occurrences of the event in a 
plurality of earlier monitoring periods (Periodically, the profile application acquires 
network activity log, which is generated by monitoring application, and uses this data to 
generate activity profile. The recognition engine then compares this activity profile 
against future network activity.) ([0022], lines 1-6 and 11-17; [0023], lines 2-5);

invoking a first action if the present count exceeds a predetermined proportion of
the numbers of occurrences of the event in the plurality of earlier monitoring periods 
([0023], lines 9-13; Fig. 3, items 214 and 216); and 

invoking a second action if the present count does not exceed the predetermined 
proportion of the numbers of occurrences of the event in the plurality of earlier 
monitoring periods ([0025], lines 1-5; Fig. 3, item 214, loopback). 

Regarding claim 3, Gales clearly shows and discloses the method of claim 1,
wherein the second action includes logging the present count without taking further
corrective action (The monitor application records the events it is monitoring to a
network activity log, which is later incorporated into a network profile. Both the log and
profile are stored as databases, and further action beyond logging is only taken in the
event the recorded events exceed a threshold which invokes the first action.) ([0014],
lines 11-15; [0016], lines 1-6).

Regarding claim 4, Gales clearly shows and discloses the method of claim 1,
wherein the plurality of earlier monitoring periods all begin at the same times on 
consecutive days previous to the present monitoring period. (Gales teaches the activity 
profile being updated in accordance with predefined time periods.)([0022], lines 11-15). 

Regarding claim 5, Gales clearly shows and discloses a program storage device 
readable by a machine, tangibly embodying a program of instructions executable by the 
machine to perform method steps suitable for filtering events in an information 
technology resource monitor, said method step comprising: 

determining a present count of occurrences of an event for a present monitoring
period ([0014], lines 1-3 and 6-13); 

comparing the present count with numbers of occurrences of the event in a
plurality of earlier monitoring periods ([0014], lines 15-18);

invoking a first action if the present count exceeds a predetermined proportion of 
the numbers of occurrences of the event in the plurality of earlier monitoring periods 
([0014], lines 18-21); and 

invoking a second action if the present count does not exceed the predetermined 
proportion of the numbers of occurrences of the event in the plurality of earlier 
monitoring periods (Gales teaches different actions being performed based on whether 
events recorded in activity log exceed threshold established in activity profile.)([0014], 
lines 15-18; [0018], lines 8-12). 

Regarding claim 6, Gales clearly shows and discloses a filter suitable for filtering 
events in an information technology resource monitor, said filter comprising: 

an event counter for determining a present count of occurrences of an event for a 
present monitoring period (Fig. 3; [0021], lines 1-5); 

a history table for storing numbers of occurrences of the event in earlier 
monitoring periods (The activity log, which records events logged during time periods, is 
stored in a database.) (Fig. 2; [0016], lines 1-4); and 

logic for comparing the present count with numbers of occurrences of the event 
in a plurality of earlier monitoring periods selected from the history table, invoking a first 
action if the present count exceeds a predetermined proportion of the numbers of 
occurrences of the event in the plurality of earlier monitoring periods, and invoking a
second action if the present count does not exceed the predetermined proportion of the
numbers of occurrences of the event in the plurality of earlier monitoring periods (Fig. 2;
[0014], lines 16-21; [0016], lines 1-6). 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claim 2 is rejected under 35 U.S.C. 103(a) as being unpatentable over Gales in
view of Porras et al. (US Publication No. 2004/0010718 A1), hereinafter referred to as
Porras.

Regarding claim 2, Gales clearly discloses a method for filtering events in an 
information technology resource. However, Gales does not disclose a method wherein 
the predetermined proportion is a majority. 

In the same field of endeavor, Porras does clearly show and disclose a method
of employing a wide range of statistical measures to compare the number of 
occurrences of events in a current monitoring period with the number of occurrences of 
events in past monitoring periods, reading on the claimed "wherein the predetermined 
proportion is a majority," ([0035], lines 1-3; [0040]). In light of computer networks
becoming more sophisticated and interoperable and subject to both increasing levels of 
reliance by users and malicious and coordinated attacks, the method of Porras to 
perform comparisons using a range of statistical measures was within the ordinary 
ability of one motivated to improve upon methods of detecting suspicious network 
activity and, more generally, networking monitoring (Porras: [0005]; [0006]). 

Therefore, it would have been obvious to a person of ordinary skill in the art at 
the time the invention was made to combine the statistical comparison methods taught 
by Porras with the method of Gales in order to filter events to obtain the invention 
specified in claim 2. 

Conclusion 

6. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Rowland, (U.S. Patent No. 6,405,318) 

Weber et al., (U.S. Publication No. 2006/0173992) 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Clayton Williams whose telephone number is
571-270-3801. The examiner can normally be reached on M-F (7:30 a.m. - 5 p.m.).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nabil El-Hady can be reached on 571-272-3963. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 